Closed JSteeleIR closed 3 years ago
@JSteeleIR the error message seems clear about what is wrong, and below is what is recommended. You may also check if you can follow the steps to resolve the issue
using a service account through the auth/impersonate_service_account setting
I can confirm, impersonating a service account does appear to work. From the terraform/google-provider perspective, I guess this is a non-issue.
We might want to file a bug with the Budget API team, though. I think this restriction is something that should be addressed on their side. I can think of no logical reason this API should be inaccessible from EUCs, and I think that restriction does force less-secure configurations.
@JSteeleIR I am glad you have found the solution. Closing the issue then. Feel free to reopen if you need further discussion regarding the provider.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉, please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
Community Note
modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.
Terraform Version
Terraform v0.14.0
Affected Resource(s)
Terraform Configuration Files
Debug Output
https://gist.github.com/JSteeleIR/445dbc6af5a3841a320a133ca082cf99
Expected Behavior
Terraform/google_billing_budget creates a billing budget on the specified account.
Actual Behavior
Terraform dies with the following error:
Steps to Reproduce
gcloud auth login (obtain end-user credentials)
terraform apply
Important Factoids
Requiring a user to create/impersonate a service account and export the Service Account Key (or launch a GCE instance) to enable Terraform to configure Cloud Billing Budget is non-trivially complex, and seems excessive for the desired goal.
This limitation also forces users into a less-secure configuration, especially if the requisite service account has to be granted permissions to administer billing accounts. The resources involved in the additional attack surface (the exported service account key, or the GCE instance) are historically misplaced/misconfigured. A user attempting to use Terraform to configure billing limits may accidentally expose their project/billing account to abuse in the process of meeting these additional requirements.
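An added example, not taken from the issue or from the provider's own documentation: a provider configuration that reaches the Budget API through the service account impersonation confirmed in the comments, so that no service account key is exported. The service account email, billing account ID, budget name and amounts are placeholders. It assumes a provider version that supports `impersonate_service_account`, and that the end user holds `roles/iam.serviceAccountTokenCreator` on that service account.

```hcl
# Added example. Every identifier below is a placeholder.

# Pattern the issue warns about: a long-lived exported key sitting on disk.
# Anyone who copies the file can act as the service account until the key
# is revoked.
#
# provider "google" {
#   credentials = file("budget-admin-key.json")
# }

# Keyless alternative: the provider uses the caller's own end-user
# credentials only to mint short-lived tokens for the service account.
# Nothing is exported, and access is revoked by removing the caller's
# roles/iam.serviceAccountTokenCreator binding on the service account.
provider "google" {
  impersonate_service_account = "budget-admin@example-project.iam.gserviceaccount.com"
}

resource "google_billing_budget" "monthly" {
  billing_account = "000000-000000-000000" # placeholder billing account ID
  display_name    = "example-monthly-budget"

  amount {
    specified_amount {
      currency_code = "USD"
      units         = "100"
    }
  }

  # Notify at 90% of the budgeted amount.
  threshold_rules {
    threshold_percent = 0.9
  }
}
```

The service account still needs permission to manage budgets on the billing account, so grant it only that and keep the set of principals allowed to impersonate it small.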